CVE-2019-7589

A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
jciCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
johnsoncontrolsentrapass
𝑥
< 8.10
johnsoncontrolsentrapass
𝑥
< 8.10
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://www.us-cert.gov/ics/advisories/icsa-20-070-04
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://www.us-cert.gov/ics/advisories/icsa-20-070-04